author | Robbie Harwood <rharwood@redhat.com> | 2016-03-17 17:17:27 +0000 |
---|---|---|
committer | Robbie Harwood <rharwood@redhat.com> | 2016-03-17 17:17:30 +0000 |
commit | 7b4e88e425b05ac9c7ab88447f6797117916f62a (patch) | |
tree | 57358597da08dcc77c9c046e093c7d4faa3850b0 | |
parent | f1cb770b53923018ec6c35e981d160db219286f9 (diff) | |
Backport OID mech fix
Resolves: #1317609
-rw-r--r-- | krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch | 39 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 46 insertions, 1 deletions
diff --git a/krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch b/krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch
new file mode 100644
index 0000000..66dd166
--- /dev/null
+++ b/krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch
@@ -0,0 +1,39 @@
+From 89683d1f135765e91041f3a239af865b11aaf86b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 15 Mar 2016 17:45:26 -0400
+Subject: [PATCH] Revisit inquire_attrs_for_mech on old mechs
+
+In gss_inquire_attrs_for_mech(), if the mech does not implement RFC
+5587, return success with empty mech_attrs and known_mech_attrs sets
+to indicate a lack of knowledge for all attributes. The previous
+behavior of returning an error caused gss_indicate_mechs_by_attr() to
+fail out in the presence of an old mechanism, in turn causing
+gss_acquire_cred() and SPNEGO to break.
+
+ticket: 8358
+---
+ src/lib/gssapi/mechglue/g_mechattr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
+index 08a6008..e49651e 100644
+--- a/src/lib/gssapi/mechglue/g_mechattr.c
++++ b/src/lib/gssapi/mechglue/g_mechattr.c
+@@ -181,8 +181,12 @@ gss_inquire_attrs_for_mech(
+ mech = gssint_get_mechanism(selected_mech);
+ if (mech == NULL)
+ return GSS_S_BAD_MECH;
+- else if (mech->gss_inquire_attrs_for_mech == NULL)
+- return GSS_S_UNAVAILABLE;
++
++ /* If the mech does not implement RFC 5587, return success with an empty
++ * mech_attrs and known_mech_attrs. */
++ if (mech->gss_inquire_attrs_for_mech == NULL)
++ return GSS_S_COMPLETE;
++
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gss_inquire_attrs_for_mech(minor, public_mech, mech_attrs,
+ known_mech_attrs);
+--
+2.7.0
+
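Review bot: The new early return `if (mech->gss_inquire_attrs_for_mech == NULL) return GSS_S_COMPLETE;` writes nothing to `mech_attrs`, `known_mech_attrs` or `minor` in the lines shown, so the "empty" sets promised by the comment depend on initialisation that happens before this hunk; the function body starts and ends outside it. I would make that dependency explicit in the comment, for example `/* Outputs were already set to GSS_C_NO_OID_SET above; callers see that as "nothing known". */`, or assign the outputs at the return if they are not initialised earlier. It is also worth documenting that, with an empty known set, a caller of gss_indicate_mechs_by_attr() that filters only by except_mech_attrs would presumably now accept an old mechanism whose properties are unknown. Policy code that must exclude such mechanisms should list the relevant attributes as critical rather than rely on exclusion alone.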
@@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14.1 -Release: 1%{?dist} +Release: 2%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -64,6 +64,7 @@ Patch158: krb5-1.14.1-interpose-enable-inquire_attrs_for_mech.patch Patch159: krb5-1.14.1-interpose-fix-inquire_attrs_for_mech.patch Patch160: krb5-1.14.1-interpose-inquire_saslname_for_mech.patch Patch161: krb5-1.14.1-interpose-public_oid_fixups.patch +Patch162: krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -244,6 +245,7 @@ ln NOTICE LICENSE %patch159 -p1 -b .interpose-fix-inquire_attrs_for_mech %patch160 -p1 -b .interpose-inquire_saslname_for_mech %patch161 -p1 -b .interpose-public_oid_fixups +%patch162 -p1 -b .inquire_attrs_for_mech-on-old-mechs # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -766,6 +768,10 @@ exit 0 %changelog +* Thu Mar 17 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-2 +- Backport OID mech fix +- Resolves: #1317609 + * Mon Feb 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-1 - New rawhide, new upstream version - Drop CVE patches |